VMware is an extremely useful program that allows you to run multiple instances of operating systems from a single system. You can download VMware Server and VMware Player for free from http://www.vmware.com/products/free_virtualization.html for both Windows and Linux. The more powerful VMware ESX and Infrastructure products require commercial licenses.

I run VMware Server from my Windows workstation to run and access Linux and other operating platforms in parallel as needed during a network security assessment. From a networking perspective, VMware can be used in many configurations. I use a virtual NAT configuration that gives my virtual machines access to the network card of my workstation.

Microsoft Virtual PC is available for free from http://www.microsoft.com/windows/virtualpc/default.mspx. Most Linux, BSD, and Solaris platforms run under Virtual PC (a comprehensive list of supported operating platforms can be found at http://vpc.visualwin.com). Virtual PC can also be run from Mac OS X, to run Windows and other platforms. For more information, visit http://www.apple.com/macosx/applications/virtualpc/.

Microsoft Virtual Server is also available, and offers datacenter-class features such as rapid configuration and deployment of virtual machine images. Virtual Server is available from http://www.microsoft.com/windowsserversystem/virtualserver/default.mspx.

Parallels is a Mac OS-specific virtualization solution that allows users to run Microsoft Windows, Linux, and BSD-derived platforms within Mac OS X. Further details are available from the company web site at http://www.parallels.com.

As Windows releases (XP, 2003 Server, Vista, etc.) start to mature and become more flexible, many more network assessment and hacking tools that run cleanly on the platform are becoming available. Previous Windows releases didn’t give raw access to network sockets, so many tools had to be run from Unix-based platforms. This is no longer the case; increasing amounts of useful security utilities have been ported across to Windows, including Nmap and powerful tools within the Dsniff package, such as arpspoof.

Windows operating platforms are usually required within a network security assessment exercise to use tools that are run against Windows targets, such as Urity’s RpcScan, because it uses internal Windows libraries and components that are not easily available or ported to Unix-based platforms.

Linux is the platform of choice for most hackers and security consultants alike. Linux is versatile, and the system kernel provides low-level support for leading-edge technologies and protocols (Bluetooth and IPv6 are good examples at the time of writing). All mainstream IP-based attack and penetration tools can be built and run under Linux with no problems, due to the inclusion of extensive networking libraries such as libpcap.

At the time of writing, the most popular Linux distributions are:

Binary distributions like Ubuntu are useful and reliable, and are updated easily using apt-get or aptitude package management programs. Many large companies, including Google, use Ubuntu on both client workstation and server systems. Maintaining binary Linux distributions is much simpler than using source distributions, such as Gentoo, which require compilation of new software components.

Mac OS X is a BSD-derived operating system. The underlying system looks and feels very much like any Unix environment, with standard command shells (such as sh, csh, and bash) and useful network utilities that can be used during an IP-based network security assessment (including telnet, ftp, rpcinfo, snmpwalk, host, and dig).

Mac OS X is supplied with a compiler and many header and library files that allow for specific assessment tools to be built, including Nmap, Nessus, and Nikto. Many other tools and packages are available for Mac OS X via DarwinPorts (http://www.darwinports.com) and Fink (http://www.finkproject.org).

Nmap is a port scanner used to scan large networks and perform low-level ICMP, TCP, and UDP analysis. Nmap supports a large number of scanning techniques, also offering a number of advanced features such as service protocol fingerprinting, IP fingerprinting, stealth scanning, and low-level network traffic filter analysis. Nmap is available from http://www.insecure.org/nmap. Currently, Nmap can be run under most operating platforms, including Windows, Linux, and Mac OS X.

Nessus is a vulnerability assessment package that can perform many automated tests against a target network, including ICMP, TCP, and UDP scanning, testing of specific network services (such as Apache, MySQL, Oracle, Microsoft IIS, and many others), and rich reporting of vulnerabilities identified.

Having run the Sentinel testing platform and evaluated the security consultants of the world’s largest penetration testing providers, I know that all of them use Nessus to perform bulk network scanning and assessment, from which manual qualification and use of specific tools and techniques follows. Nessus has two components (daemon and client) and deploys in a distributed fashion that permits effective network coverage and management.

Nessus reporting is comprehensive in most cases. However, reports often contain a number of false positives and a lot of noise (as issues are often not reported concisely or different iterations of the same issue are reported), so it is important that consultants manually parse Nessus output, perform qualification, and produce an accurate and concise handwritten report. As with many other tools, Nessus uses CVE references to report issues. CVE is a detailed list of common vulnerabilities maintained by the MITRE Corporation (http://cve.mitre.org).

Nessus is available for free download from http://www.nessus.org, and can be run under Linux, Solaris, Windows, Mac OS X, and other platforms. Tenable Security maintains a commercially supported and up-to-date branch of Nessus and its scanning scripts, which has enhanced features relating to SCADA testing and compliance auditing under Windows and Unix. Further information is available from http://www.tenablesecurity.com/products/nessus.shtml.

Commercial scanning packages are used by many network administrators and those responsible for the security of large networks. Although not cheap (with software licenses often in the magnitude of tens of thousands of dollars), commercial systems are supported and maintained by the respective vendor, so vulnerability databases are kept up-to-date. With this level of professional support, a network administrator can assure the security of his network to a certain level.

Here’s a selection of popular commercial packages:

An issue with such one-stop automated vulnerability assessment packages is that, increasingly, they record false positive results. As with Nessus, it is often advisable to use a commercial scanner to perform an initial bulk scanning and network service assessment of a network, then fully qualify and investigate vulnerabilities by hand to produce accurate results. Matta Colossus addresses this by allowing the user to supervise a scan as it is conducted, and also to edit the final report.

The Metasploit Framework (MSF) (http://www.metasploit.com) is an advanced open source platform for developing, testing, and using exploit code. The project initially started off as a portable network game and then evolved into a powerful tool for penetration testing, exploit development, and vulnerability research.

The framework and exploit scripts are written in Ruby, and widespread support for the language allows MSF to run on almost any Unix-like system under its default configuration. The system itself can be accessed and controlled through a command-line interpreter or web interface running from a suitable server.

Metasploit exploit modules are reliable and cover exploitation of the most popular vulnerabilities uncovered in Windows- and Unix-based platforms since 2004. A very useful feature in the current version (3.0 at the time of writing) is a reverse VNC server injection mechanism, which is invaluable when repositioning through Windows servers.

Security consultants use commercial exploitation frameworks to perform penetration and repositioning tasks. At the time of writing, the two leading commercially available exploitation frameworks are CORE IMPACT and Immunity CANVAS. These tools are feature-rich, reliable, and commercially supported, offering advanced features such as repositioning using agent software. Also, third-party companies (including Argeniss and GLEG) offer zero-day exploit packs, which can be integrated into these systems to exploit unpublished zero-day vulnerabilities.

These exploitation frameworks are discussed along with Metasploit Framework in Chapter 16. For current details relating to IMPACT and CANVAS, you can visit their respective vendor web sites:

Details of the GLEG and Argeniss 0day exploit packs, containing numerous unpublished exploit scripts, can be found at their respective web sites:

A number of companies offer commercially available web application testing tools. Through running the Matta Sentinel program, we have had exposure to a number of these, and evaluated them accordingly. Three such commercial web application scanners used by professional security consultants are: